CSO SPECIAL REPORT

Intellectual Property Protection

February

Smarter technology for a Smarter Planet:

The cloud that’s transforming an industry, one fish at a time.

At the University of Bari, a new computing model is creating new business models. Using an IBM SmartCloud™, their team built a solution that allows local fishermen to auction their catch while still at sea. By creating more demand for the fishermen’s product, the cloud has increased income by 25% while reducing time to market by 70%. Now the team is scaling the solution to create new business models for the winemaking and transportation industries. What can cloud do for your business? A smarter planet is built on smarter software, systems and services.

Let’s build a smarter planet. ibm.com/cloudsolutions


February 2012, Vol. 11, No. 1


Features...

22 Brain Drain
Cover Story | Intellectual Property. Been sleeping OK? Chances are you’re not doing enough to safeguard your firm’s intellectual property, a major undertaking for nearly all companies. By Lauren Gibbons Paul

26 Social Engineers Who Made History
Social Engineering. Most new scams are just variations on old ideas. Here’s a quick history lesson for your employees. By Joan Goodchild

Also Inside...

2 From the Editor

4 From the Publisher

6 Join the Discussion
CSOonline readers debate the flaws in cybersecurity legislation and fallout from the Zappos breach.

9 Briefing
■ DoD Smart Cards in the Crosshairs
■ Murdoch Denounces Google as ‘Piracy Leader’
■ Industry Fights Copper Thieves with New Telecoms Cable
■ Passwords Better Off Dead
■ Thieves Nab Data About NASA and the Space Station
■ Hackers Threaten to Release Source Code for Norton Antivirus

16 Data Destroyers
Toolbox. Part of securing information is making sure you get rid of what you don’t need. Here’s the scoop on data destruction options. By Bob Violino

30 Mind Your IP: 4 Safety Tips
Industry View. By Jason Clark

32 Debriefing
The Evolution of Authentication


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970. www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: † Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Cover Illustration by Eva Vazquez


February 2012 www.csoonline.com 1


[ FROM THE EDITOR ]

Network Security Isolationism Must Die

Join me in a small exercise.

First, raise your right hand.

Now, lower your hand ONLY if all four of the following statements are true.

1. Your network has no physical points of presence. No wiring closets, no physical data center.

2. The data in your network does not represent any physical assets. No records used to track or manage inventory of supplies or goods.

3. None of the information in your network is also represented by a paper record anywhere in the possession of your company.

4. No human beings are able to access or alter the data in your network.

Excellent. Anyone able to lower their hand? No? So all of you have your hands still raised? I thought so.

Here is what it means if your hand is still raised:

You have to cooperate with other departments to secure your information!

General counsel! Records management! Physical access control! Fraud detection! Investigations!

They can’t do their jobs unless they communicate with you. And you can’t do your job unless you communicate with them.

I’m still hearing this question from time to time, on Twitter, at live events, in article comments, when we write about various broad issues: “But what does that have to do with network security?” It’s the Network Security Isolationist school of thought.

In this Special Issue, we take a look at the many facets of securing intellectual property (IP): via legal safeguards, timely data destruction, social engineering prevention and more. IP protection is a broad business goal and a perfect illustration of why isolationist thinking doesn’t work in security. Network defenses are a critical part of the puzzle, but only one part.

The “What does that have to do with network security?” question is a weirdly anti-intellectual, incurious thing to ask for an industry with roots in exploration and tinkering and pattern-finding. More critically, it holds back the network security profession, making security people appear to be nonparticipants in the business.

Ten years ago, this question was the norm. Five years ago, it was maybe a forgivable lapse. Now, it’s just ridiculous.

Network security isolationism must die!

Or, expressed another way: Get your head out of your network!

-Derek Slater, dslater@cxo.com


Editor in Chief Derek Slater
Senior Editors Bill Brenner, Joan Goodchild
Copy Editor Colleen Barry
Editorial Administrator Pat Josefek
Contributors Jason Clark, Sophie Curtis, John E. Dunn, Lauren Gibbons Paul, Bob Violino

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson

TECHNICAL ADVISORY BOARD
Jason Cowling
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute
Richard Power, Carnegie Mellon CyLab

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

IDG Enterprise
An IDG Communications Company

INTERNATIONAL DATA GROUP
Chairman of the Board Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO Bob Carrigan
Chief Content Officer John Gallant




Photo by Tim Llewellyn


You’ll never know who’s plotting the next cyber attack on your business. But with F5, you’re protected.

Unlike traditional or so-called “next generation” firewalls, F5 security solutions identify the nature and source of digital traffic and quickly adapt to threats.

Attacks are blocked without shutting down the works. Your precious applications and data remain untouched, and your defenses evolve as new threats appear.

Learn more at f5.com/smartersecurity.


[ FROM THE PUBLISHER ]

Can I Have A Little Hope?

I think when we look back at this January, we may view it as a turning point in how businesses protect their intellectual property (IP). Several key things happened:

1. In response to strong online protests, congressional sponsors of the Stop Online Piracy Act (SOPA) and the Protect Intellectual Property Act (PIPA) announced that they would delay their bills.

2. The hacker group Anonymous launched attacks against Polish government websites, which led the government to announce that it would be revisiting its support of the Anti-Counterfeiting Trade Agreement (ACTA).

3. After the shutdown of Megaupload.com, a file-sharing site where IP of all kinds was freely distributed, Anonymous launched attacks against major media sites, including the CBS and Universal Music websites, as well as the Department of Justice, the FBI, the Motion Picture Association of America and the Recording Industry Association of America.

Until now, IP protection has been a crapshoot at best. Businesses have layered technology on technology in their systems to protect against IP theft, with varying degrees of success. While there were already laws on the books to protect IP, they were mostly ineffectual in the Internet age. Over the past year, that has begun to change. Major owners of IP, most notably the movie and music industries, have begun to push, successfully, for new protections that would take into account the new dynamics created by the Internet.

I’ll be the first to admit that SOPA and its brethren were not stellar pieces of legislation. For the most part, I think they were designed to be as far-reaching as possible with the understanding that they would probably get whittled down during the review process. Before that happened, however, legitimate protests began to crop up, sharing citizens’ concerns about the scope of these bills. This is the old-fashioned way to get things done in a democracy. No problem, right? Well, not until Anonymous jumps in and crashes the party.

Intellectual property is the capital upon which businesses are built. If individuals and businesses fail to protect IP, they won’t have any firm basis on which to operate. Movie studios might as well stop making movies if they’re just going to be stolen. How are musicians supposed to make a living if their music is stolen and shared freely? It’s a decades-old discussion that I won’t rehash any further.

But when does the Internet community stop putting up with Anonymous and the like? Where is the retribution against Anonymous? Why is it that businesses, law enforcement and governments can’t or don’t retaliate against Anonymous? I believe that, ultimately, how effectively IP is protected will be determined by whether we continue to tolerate hacktivists and acquiesce to their extortion.

I don’t make those decisions. I don’t even influence those decisions. But I can have hope the people who do make them will make the right ones.

Best regards,

-Bob Bragdon, bbragdon@cxo.com


Advertiser Index

3M ... C3
Avigilon ... 5
CARTES in North America / Comexposium ... C4
CSO ... 21
F5 Networks Inc. ... 3
ISACA ... 17
IBM Corp. ... C2
LogRhythm ... 11, 13, 15
Mystery Guest Inc. ... 21
The Security Confab ... 8


Group Publisher Bob Melk
Publisher Bob Bragdon
Senior National Sales Manager Per Melker
East Coast Regional Director, Integrated Sales Roz Burke
West Coast Regional Director, Integrated Sales Michelle McHugh
Sales Associate Sarah Nadeau

INTEGRATED MEDIA AND ONLINE SALES
SVP, GM, Online Operations Gregg Pinsky
SVP, Online Sales Brian Glynn
East Coast Online Regional Sales Manager Richard Hartman
West Coast Online Regional Sales Manager Erika Karr
Central Online Regional Sales Manager Stacy Bryne
Director, Online Account Services Danielle Tetreault

CUSTOM SOLUTIONS GROUP
Vice President Charles Lee
National Sales Directors Brett Ferry, Karen Wilde

PRODUCTION
VP/Manufacturing Chris Cuoco
Production Manager Heidi Broadley

EXECUTIVE PROGRAMS
SVP, Executive Programs Ellen Daly
Sr. Director, Event Operations Deb Begreen
VP, Content Development & Events Derek Hulitzky

MARKETING
Vice President, Marketing Sue Yanovitch
Marketing & PR Manager Lynn Holmlund

LIST SERVICES
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460, ext. 100, cso@theygsgroup.com




Photo by Christopher Navin


Get unprecedented image detail and never miss a thing with Avigilon’s end-to-end surveillance solutions.

From shoplifters to potential false liability claims, you can now capture it all in high-definition. The Avigilon Control Center software featuring High-Definition Stream Management (HDSM) technology combined with the broadest range of megapixel cameras (from 1 - 29 MP) provides superior details while requiring minimal bandwidth and storage. Our software allows you to search and view an incident in seconds, along with the ability to link HD surveillance footage with transaction data to help reduce shrinkage and theft. With Avigilon on your side, you will always get the best evidence.

Avigilon. The Best Evidence.


What’s on your mind? Security leaders discuss and debate at www.csoonline.com


BLOG POST

The Flaws in Cybersecurity Legislation

I have three major issues with the cybersecurity legislation that’s being proposed in Congress these days:

1. It has no teeth. It is just more policy with no accountability or meaningful penalties for noncompliance.

2. It consists of paper audits, more of the same useless audits.

3. The auditors would not be cybersecurity experts. This last one is insane.

This nation’s critical infrastructure (power grid, water supply, oil and gas refineries, and so on) is run and managed by IT systems and software applications. These systems and applications were not built with security in mind and can only be tested and measured by IT security tools in the hands of experts.

Beyond our critical infrastructure, we also have thousands of IT systems and software applications managing sensitive data: military secrets, privacy information, our wired and wireless communication systems, and more. Many of these systems are built and managed by large government system integrators.

Until we have IT-based policy that relies on IT-based controls, automated monitoring and real penalties for noncompliance (which means financial penalties), we will continue to fail when it comes to cybersecurity protection.

And we are failing, make no mistake about that. In 2011, there were more publicly reported data breaches than in any year prior. Having spent 10 years working for various government agencies before moving to the private sector, I can tell you that the only difference between 2011 and prior years is the “public” part of those breaches: they’ve been happening for years to government agencies, systems integrators, and the private sector, but most were not reported publicly.

Representative Jim Langevin of Rhode Island introduced a cybersecurity bill to Congress last March. There are four major features I like about this bill:

1. It would give DHS the authority to compel private firms deemed part of the critical infrastructure to comply with federal security standards.

2. The standards are based on the recommendations of cybersecurity experts with firsthand knowledge of the reality of the challenges facing each industry.

3. The mandated audits include IT security products that will test and monitor the systems and applications for security holes.

4. And most importantly, in my opinion, it carries financial penalties for sub-standard audit results. This includes all organizations in scope, whether they are federal agencies, systems integrators or members of the private sector. If you’re part of what is deemed “critical infrastructure” you must comply.

Unfortunately for Rep. Langevin’s bill, lobbying and political pressures have stalled it, probably because it includes measurable accountability and, for the first time in our history, insightful, practical policy for cybersecurity defense.

—Ed Adams


BLOG POST

Fallout From Zappos Breach

Zappos, an online shoe retailer, suffered an attack that compromised account information for millions of customers and made the company part of an unfortunate statistic.

Some security sources have kindly offered me some perspective.

This, from Mark Bower, data protection expert and VP at Voltage Security: “The good news is that it looks like Zappos’ credit card information was encrypted or not stored in a way that hackers could use. So this is proof that protection can help with safeguarding customer data in the event hackers get their hands on it. More merchants should be taking these kinds of measures.”

This, from Alan Hall, security expert and director at Solera Networks: “Without full visibility of the entire attack, organizations can only guess or assume that all records were taken and then address their response to the full extent of possible damage, 24 million in this case. An appropriate response includes more detail: how did they get in, where did they go and what was accessed, seen, and removed from the network? Until you have a complete record with full packet-level detail and the ability to reconstruct every artifact, your response is slow and fraught with guesswork, assumptions and misdirected resources. Organizations should pinpoint the response to the exact scene of the crime with full evidence.”

One more, from Tomer Teller, security researcher and evangelist at Check Point Software Technologies: “Though not as serious as compromising customer payment information, hackers can use stolen customer data like this to attempt similar data thefts. Having enough information about a person can make it easier to attack other sites. It’s troublesome, considering how many other Web services can be put in jeopardy by a single incident like this. Even so, Zappos should be commended for alerting their customers in a timely fashion.”

The best feedback I’ve gotten thus far comes from Teller, who offered these tips for victims and those who want to avoid being victims in the future:

Top 6 Data-Loss Prevention Tips

1. Understand your organization’s data security needs. Have a clear view and record of the types of sensitive data that exist within the organization, as well as which types of data are subject to government or industry-related compliance standards.

2. Classify sensitive data. Begin by creating a list of sensitive data types in the organization and designating the level of sensitivity. Consider establishing a set of document templates to classify data as Public, Restricted or Highly Confidential, creating more end user awareness about corporate policies and what constitutes sensitive information.

3. Align security policies with business needs. An organization’s security strategy should protect the company’s information assets without inhibiting the end user. Start by defining company policies in simple business terms that are aligned with the individual employee’s, group’s or organization’s business needs. Identity awareness solutions can provide companies with more visibility of their users and IT environment in order to better enforce corporate policy.

4. Secure data throughout its lifecycle. Businesses should consider implementing data security solutions that secure their sensitive data in multiple forms, correlating users, data types and processes, and protect it throughout its lifecycle: data at rest, data in motion and data in use.

5. Eliminate the compliance burden. Evaluate government and industry-driven compliance mandates and how they affect an organization’s security and business flow. Consider implementing solutions with best-practice policies customized to meet specific regulations, including HIPAA, PCI DSS and Sarbanes Oxley, for fast prevention on day one. Best-practice policies also enable IT teams to focus on proactively protecting data beyond what’s required.

6. Emphasize user awareness and engagement. Involve the user in the security decision process. Technology can help educate users about corporate policies and empower them to remediate security incidents in real time. Combining technology and user awareness sensitizes employees to risky behavior through self-learning techniques. —Bill Brenner

Photo by iStockphoto

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekcslater

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
Email: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 129, cso@theygsgroup.com.


MORE ON THE WEB

Wake Up With Salted Hash

Your daily security news cuppa joe: CSOonline’s Salted Hash blog and newsletter covers the news as it happens.

http://blogs.csoonline.com/blog/cso




[ CSO ANNOUNCES ]

THE SECURITY CONFAB
April 15-17, 2012 :: La Jolla, California

The Security Confab is a unique gathering of security thought leaders.

Attend and you will:

• Learn about new approaches to solving complex security challenges
• Discover strategies to secure the organization of the future
• Network with industry thought leaders and security experts
• Take home insights from more than 30 sessions

Keynote Presenters

Malcolm Harkins
CISO, Intel Corporation

Hon. Dale Meyerrose
Major General, USAF (Ret.), Former CIO for the U.S. Intelligence Community; VP & GM, Cyber Integrated Solutions, Harris Corporation

Securing Your Enterprise for the Future

As security solutions and strategies accelerate globally through public and private sectors, today’s CSOs and information executives are challenged to think big, protect more, manage well, and map security strategies to not only the enterprise, but to the enterprise that will be.

Register Today!
Visit events.csoonline.com/confab2012/CSO for more information.

Produced by CSO

All New Workshop

Defining Your Organization’s Risk Appetite, Securing Funding, and Getting Stakeholder Support
A CSO Executive Communication Workshop

More and more security executives are being tapped for direct accountability to boards and audit committees. In this workshop, learn how to effectively communicate, negotiate and network on that level.


“Google’s role as a piracy leader explains why it’s pouring millions into lobbying against SOPA.” page 10

Edited by Bill Brenner


DoD SMART CARDS IN THE CROSSHAIRS

New malware is designed to take advantage of smart card readers running ActivClient

A new strain of the Sykipot malware is being used by Chinese cybercriminals to compromise Department of Defense (DoD) smart cards, a new report reveals.

According to unified security information and event management company AlienVault, the malware is designed to take advantage of smart card readers running ActivClient, the client application of ActivIdentity.

ActivIdentity’s smart cards are standardised at the DoD and a number of other government agencies. The cards are used to identify active-duty military staff, selected reserve personnel, civilian employees and eligible contractor staff.

As with previous Sykipot strains, the attackers use an email campaign to get specific targets to click on a link that deposits the Sykipot malware on their machines. After identifying the computers that have card readers, the attackers install keystroke logging software to steal the PIN that is used in concert with the smart card.

“When a card is inserted into the reader, the malware acts as the authenticated user and can access sensitive information,” explains AlienVault’s lab manager Jaime Blasco. “The malware is then controlled by the attackers and then told what, and when, to steal the appropriate data.”

So far, AlienVault has seen attacks that compromise smart card readers running Windows Native x509 software, which is reportedly in common use in a number of government agencies in the United States and among its allies.

This new strain is thought to have originated from the same Chinese authors that created a version of Sykipot in 2011, which distributed a variety of spam messages claiming to contain information on the next-generation unmanned drones developed by the United States Air Force.

In an investigation into that earlier strain last year, Blasco suggested that the team behind Sykipot was working with an information “shopping list” that included semiconductor, medical and aerospace technology.

In a report released last year, security consultancy Mandiant identified several cases where determined attackers were able to get onto computers or networks that required both smart cards and passwords. Mandiant called this technique a “smart card proxy.” -Sophie Curtis


Illustration by Carl Spackler




>> BRIEFING


INTELLECTUAL PROPERTY

MURDOCH DENOUNCES GOOGLE AS ‘PIRACY LEADER’

News Corp. founder says Google should remove piracy sites from its search results

Media mogul Rupert Murdoch has used his new Twitter account to unleash a stream of abuse against Google, describing the search giant as a “piracy leader” and labelling parts of its business model “plain stealing.”

Although he described Google as a “great company doing many exciting things,” Murdoch tweeted that he had “only one complaint, and it’s important.” He’s angry that Google does not block piracy sites from its search results, allowing searchers to find sites where they can illegally download content, “hurting writers, actors, all concerned.”

Murdoch, whose News Corp. owns the movie studio 20th Century Fox and many other media outlets, then apparently did a Google search for the Tom Cruise blockbuster Mission Impossible, and found “several sites” promising free downloads. “I rest my case,” he then tweeted.

His comments were part of a wider tirade against the Obama administration, which he accused of bending to the will of “Silicon Valley paymasters” over plans to water down online piracy legislation.

In January, the White House indicated that it would not proceed with the SOPA and PIPA anti-piracy bills, which proposed to give the state power to interfere with the architecture of the Web.

Google, Yahoo, Facebook and several other large Web companies have previously written to the House and Senate Judiciary Committees, warning that the proposed laws mostly serve the interests of Hollywood and the music industry, and could result in Internet censorship. While the companies agree that new enforcement tools are needed to combat copyright infringement and counterfeiting, they say the proposed bills go too far.

One of the biggest concerns is that SOPA would allow copyright and intellectual property owners to get court orders forcing payment services companies and online advertising networks to cut off services to foreign sites that are deemed to be infringing on copyright.

Murdoch suggested Google’s role as a “piracy leader” explains why the company was “pouring millions into lobbying” against SOPA.

“This is just nonsense,” said a Google spokesperson in a statement. “Last year we took down five million infringing Web pages from our search results and invested more than $60 million in the fight against bad ads.”

-S.C.




Photo by Kevin Lamarque/Reuters


LOSS PREVENTION

Industry Fights Copper Thieves with New Telecoms Cable

Drastically reduces amount of valuable copper in cable

The epidemic of telecom cable thefts has prompted one company to develop a new design that drastically cuts down on the cable’s copper content in a bid to deter metal thieves.

The GroundSmart copper-clad steel cable is probably the most radical approach yet devised for combatting copper theft. It removes almost all the copper grounding metal commonly used in networks to return current to earth for safety reasons.

Unlike conventional cables made from solid copper, the GroundSmart uses a steel core, around which is bonded a copper outer casing. Together, the two metals form an equally effective but far less valuable cable.

The resulting cable, according to the company, exploits the corrosion resistance of copper with the conductive properties of steel.

“Companies trying to protect their copper infrastructure have been going to extreme measures to deter theft, many of which are neither successful nor cost-effective,” said CommScope Vice President Doug Wells. “Despite efforts like these, thieves continue to steal copper because of its rising value. The result is costly damage to networks and growing service disruptions.”

Other theft-deterring measures include etching the cables to aid in tracing the stolen metal and using chemicals that stain criminals’ hands and tools with a marker detectable only under ultraviolet light, he said.

To alert thieves that the cable is not solid copper, the GroundSmart cable can be printed to indicate its composition.

If GroundSmart gains some traction, it might come in the nick of time. After years of price stability, copper prices started to soar in 2004 as demand ramped up; the metal is now worth three to four times as much as it was then.

CommScope claims that copper theft costs U.S. companies $60 million a year.

The high price of copper has also been causing major problems in the UK since at least 2008. That year, thieves broke into a telephone exchange belonging to telecom giant BT, stealing cable and other equipment and causing a massive Internet and telephone outage.

The company has released a video explaining the technology on its website.

Direct price comparisons between copper and CommScope’s hybrid cables have not yet been made available.

-John E. Dunn

Photo by Getty Images




>>  BRIEFING 


SALTED HASH

Passwords Better Off Dead

CORMAC HERLEY, a principal researcher at Microsoft Research, says passwords aren’t dead but they need fixing.

I think passwords are better off dead.

Hell, even Bill Gates called for the death of passwords, and that was six years ago.

My Network World colleague Tim Greene wrote about Herley’s thoughts recently and this is some of what he said:

“While many call for replacing passwords altogether with something else, they may be doing so based on little or no hard evidence, says Cormac Herley, a principal researcher at Microsoft Research. Herley’s premise is that passwords are so entrenched and are useful in so many ways that they’re not going away anytime soon. After all, if they were totally ineffective, nobody would use them. Passwords have a lot of upsides—they’re free, allow access from any machine with a browser, revoking them is simple and it’s easy for users who forget them to reset them—that make it hard to dump them altogether.”

These are all fair points.

Completely replacing passwords would be extremely difficult, and his argument that you can’t beat something that’s free and easy has merit.

But reading this reminded me of a keynote Gates gave at RSA in 2006.

So I dug up the article I wrote about it at the time, when I was working at SearchSecurity. In it, I quoted Gates as saying:

“Passwords are the weak link. We need to move in the direction of smart cards, and multi-factor authentication must be built into the system itself. We need the ability to track what goes on and have a built-in recovery system.”

While the vision looked good on paper, some attendees were skeptical at the time.

Microsoft has acknowledged the need to move beyond passwords before, says Ken Russ, a security infrastructure specialist. But the company’s last attempt at authentication technology, the Passport single sign-on service, was unsuccessful.

“They had to abandon their previous attempt, and establishing trust between multiple companies is a difficult task,” Russ says. “I don’t know if any one company—including Microsoft—is up to the task.”

Herley’s comments suggest Microsoft still isn’t up to the task, and that the company is admitting it. That’s admirable.

But I’m not ready to abandon the future Gates described so long ago.

Like everyone else, I have to manage dozens of passwords for a variety of websites, including online banking, my blogging platforms, Twitter, Facebook and Amazon. I’ve worked hard to keep the passwords complex and not repeat them on multiple sites, but I have to admit to getting mixed up about which passwords go where and to losing a lot of them.

Maybe that’s good for security, since it forces me to reset my passwords almost every time I go to a site, but it’s not good for on-the-job efficiency.

I can’t help but think that there has to be a better way.

—Bill Brenner

CSOonline’s Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso


MALWARE

Thieves Nab Data About NASA and the Space Station

Japanese space agency finds a second malware infection on employee’s PC

Sensitive data on a Japanese-designed space vehicle used to supply the International Space Station (ISS) appears to have been compromised after the country’s space agency admitted it had discovered a Trojan infection on one of its employee’s computers.

Japan’s Aerospace Exploration Agency (JAXA) discovered the latest infection on Jan. 6. It affects the same employee whose PC was hit by malware after opening an infected attachment in July.

That infection was not discovered until a month later, and the agency now believes that the attack led to the loss of important data, including as many as 1,000 email addresses, login details for the agency’s intranet, and NASA documents covering operation of the ISS.

Considering that the employee has worked on the JAXA H-II Transfer Vehicle, which is nicknamed Konotori, the agency is worried that the latest infection could also have allowed attackers to get access to data relating to that project.

According to a statement put out by JAXA and translated by Japanese press, “Information stored in the computer as well as system information that is accessible by an employee have been leaking outside. We are now confirming the leaked information and investigating the cause.”

The statement continues, “With the above backdrop, passwords for all accessible systems from the computer have been immediately changed in order to prevent any abuse of possibly leaked information, and we are currently investigating the scale of damage and the impact. Also, all other computer terminals are being checked for virus infections.”

The H-II is an unmanned vehicle used to ferry supplies to the ISS and was first launched in 2009. A second take-off was scheduled for Sunday, Jan. 22.

NASA and the ISS have a checkered history when it comes to hacking and data breaches.

Last November, a Romanian man was arrested after being accused of breaking into the agency’s servers. In 2008, NASA confirmed that a laptop taken to the International Space Station had become infected with a common worm, Gammima.AG.

Japan itself has suffered a spate of embarrassing malware infections in government systems, including an attack on defense contractors, on its politicians and on diplomatic offices. As with the JAXA attack, Trojans designed to steal data were involved in each case; a picture is now building of a concerted attack during 2011 on the country’s infrastructure by criminals or a foreign intelligence service.

-J.E.D.

Left photo by Wikimedia; right by JAXA




Security Wisdom Watch

SOPA and PIPA edition

As we were going to press, debate continued to rage over SOPA and PIPA, anti-piracy legislation opponents say would lead to widespread Internet censorship.

I happen to share that view, which has influenced this month’s rundown:

Thumbs down: Christopher Dodd: The former Connecticut senator and current CEO of the Motion Picture Association of America (MPAA) suggested SOPA and PIPA opponents are trying to turn people into corporate pawns. That’s odd considering all the money he’s accepted from big corporations over the course of his long political career. Then there’s all that money the MPAA gives to members of Congress to keep them in line with its agenda.

Thumbs up: Blackout protesters: Wikipedia, Reddit and others who went black on Jan. 18 to protest SOPA and PIPA opened themselves to lost traffic and revenue so they could make a point. It was a stunt, but it was an admirable one.

Thumbs both ways: The White House: The administration says it will not support legislation that allows for censorship. But can we trust an administration that backed a defense appropriations bill that includes extra power for the government to detain Americans indefinitely without explanation?

Thumbs both ways: Sen. Patrick Leahy: The Vermont Democrat called for a reevaluation of PIPA’s DNS filtering and blocking provision in response to mounting opposition, but as the chief sponsor of PIPA, one must ask why he thought such a thing was OK in the first place. -B.B.




CYBERCRIME

Hackers Threaten to Release Source Code for Norton Antivirus

A hacking collective calling itself the Lords of Dharmaraja spent early January revealing fragments of the source code to Symantec’s Norton Antivirus and also threatened to release the code for the whole program last month.

Using the group’s Twitter feed, which is under the username YamaTough, the group said it would release the code Jan. 17. Then on Jan. 16 the same Twitter user announced the group would instead release the code to hackers to use to develop zero-day exploits. The group also said some of the code it planned to release was part of Symantec’s Norton Utilities software.

For several days leading up to these pronouncements, the feed proclaimed that the code release was linked to a lawsuit alleging that Symantec used scareware techniques to persuade users to buy the full version of its antivirus products. “Today we are going to release Norton Utilities src to accompany Symantec lawsuit,” YamaTough announced, without making clear why the release would in any way affect the case.

Symantec confirmed that the group has been leaking genuine code without confirming that it was stolen, as the Lords of Dharmaraja claim, from servers belonging to the Indian military.

The company said leaked documentation and code dated back as far as 1999, and some of it was related to Endpoint Protection 11.0 and Antivirus 10.2 and so has no impact on its current products.

Whatever’s in the 1.7GB of source code the hacker group claims to have probably won’t result in a real security compromise, but it does illustrate the vulnerability of data and source code stored by security vendors on third-party servers. It is unlikely to have any bearing on the scareware lawsuit against Symantec.

-J.E.D.




Illustration  by  Carl  Spackler 


Verbatim...

Shots heard ’round the security world

“Closing a global business in reaction to single-issue national politics is foolish.”

-Twitter CEO Dick Costolo, on why Twitter didn’t join Wikipedia and others in going dark to protest SOPA and PIPA

“If passed, this legislation will harm the free and open Internet and bring about new tools for censorship of international websites inside the United States.”

-The Wikimedia Foundation, on SOPA and PIPA, proposed anti-piracy legislation

“The database that stores your critical credit card and other payment data was NOT affected or accessed.”

-Zappos CEO Tony Hsieh, in a letter to customers regarding an attack against Zappos that compromised account information for millions of customers

“There’s almost no information about the attack method used to infiltrate Zappos, so it’s way too early to point fingers or throw stones at their security practices.”

-Andrew Storms, director of security operations at nCircle

“Banks are clearly aware of the threat posed by malware, but the extent to which this ‘awareness’ encompasses mobile is something of an unknown quantity. We have identified that banks are launching or enhancing new digital banking channels without a clearly defined IT strategy or budget from the onset.”

-IDC analyst Alex Kwiatkowski




TOOLS, TECHNOLOGIES AND TACTICS

By Bob Violino

Data Destroyers

Part of securing information is making sure you get rid of what you don’t need. Here’s the scoop on data destruction options.

A key part of any information security strategy is disposing of data once it’s no longer needed. Failure to do so can lead to serious breaches of data-protection and privacy policies, compliance problems and added costs.

When it comes to selecting ways to destroy data, organizations have a short menu. There are basically three options: overwriting, which is covering up old data with new information; degaussing, which erases the magnetic field of the storage media; and physical destruction, which employs techniques such as disk shredding. Each of these techniques has benefits and drawbacks, experts say.

Some organizations use more than one method. For example, microprocessor maker Intel uses all three, “depending on what we’re trying to do and for what purpose,” says Malcolm Harkins, CISO and vice president of the IT group.

The data destruction market hasn’t changed much in the past few years, says Ben Rothke, an information security professional with extensive experience in data destruction. “If there is any trend, it is that more firms are aware of the importance of data destruction,” Rothke says.

Still, some organizations, particularly smaller ones, need more education about data destruction, according to Jay Heiser, an analyst at research firm Gartner.



“We consider this a very important topic, but it is not one that Gartner clients spend a lot of time asking us about,” Heiser says.

“Enterprise clients generally have a pretty good idea of how to deal with this; the practices have been relatively consistent over a period of years, and it doesn’t generate a good deal of attention.”

Unfortunately, Heiser says, there are still many small-to-midsize businesses that haven’t fully thought through the risks of undestroyed data.

There are also persistent questions among all types of companies about how to handle data that’s in the hands of cloud computing providers.




Illustration  by  John  Weber 




“The concern that I am most often asked about by Gartner clients involves the treatment of data on the part of service vendors, especially software as a service [SaaS],” Heiser says.

While a traditionally outsourced data center provider will typically commit to destroying data at the end of a contract and confirm this destruction in writing, that type of policy is rare to nonexistent for SaaS, Heiser says.

“Although the storage architecture of most SaaS services probably means that data from former customers will quickly be written over and soon become virtually impossible to recover, there’s no good way to know if this is the case,” he says. “The SaaS market also has little or no convention surrounding the treatment of former client data on backup media.”

Cloud services will likely increasingly shape how data destruction is perceived and performed in the coming years, says Ariel Silverstone, vice president and CISO at online travel services provider Expedia.

“With the massive herd heading toward cloud, most vestigial physical destruction remnants are being killed off,” Silverstone says. “In other words, logical destruction, for all but truly classified data, is further entrenched as the norm. The problem is not destruction as much as it is discovery of the data. How do we find the data that we need to destroy?”

As for on-premise data, organizations need to consider several factors before choosing a method of destruction, says Jeff Misrahi, an independent information security consultant and former CISO.

The first is the time spent on data destruction. For example, is this something the company does a lot, or does it have a lot of disks to go through?




10 Tips for Effective Data Destruction

■ Provide effective training, particularly for more involved methods such as degaussing. Many technicians don’t know how to use a degausser, says Ben Rothke, an information security professional. “They often think you turn it on and put it over the device and you are done,” he says.

■ Emphasize quality control. If your organization is doing its own data sanitization, it needs to have quality control mechanisms in place, Rothke says. Assign a separate technician to take a random sample of at least 10 percent of the deleted data and attempt to recover information with a commercial data recovery tool.

■ Keep duties separate. For example, have one technician remove hard drives for data destruction while another verifies and documents that the drives have been removed.

■ Be aware of the risks of data residing in various media, says Vivian Tero, program director of governance, risk and compliance infrastructure at research firm IDC (a sister company to CSO’s publisher). “Identify the relationships across your firm’s data retention policies, the technical process and underlying technologies, and how these map to the firm’s IT security practice and IT infrastructure,” she says.

■ Because advances in storage technologies might make some destruction techniques ineffective, be sure to take this into account when considering strategies.


The second is cost. Can the company afford to destroy disks or do they need to be reused, and can it afford specialized destruction hardware?

Finally, think about validation and certification. Is data destruction a regulatory compliance requirement?

Here’s a look at some of the advantages and disadvantages of the three main methods of data destruction.

Overwriting

One of the most common ways to address data remanence—the residual representation of data that remains on storage media after attempts to erase it—is to overwrite the media with new data.

Because overwriting can be done by software and can be used selectively on part or all of a storage medium, it’s a relatively easy, low-cost option for some applications, experts say.

Among the biggest advantages of this method, Rothke says, is that a single pass is adequate for data removal, as long as all data storage regions are addressed.

Software can also be configured to clear specific data, files, partitions or just the free space on storage media. Overwriting erases all remnants of deleted data to maintain security, Rothke says, and it’s an environmentally friendly option.

■ Understand where critical assets are located, taking into account that the same content can reside in multiple applications and several forms of storage media. Audit the storage media, applications and systems that may contain personal information.

■ Consider privacy, retention and e-discovery rules when planning data destruction protocols, Tero says. Companies with international operations need to adopt data privacy practices that meet the local requirements. “Data privacy should be viewed as a critical component of a firm’s information management practice,” she says.

■ Formalize and document your company’s practices for handling the disposition of data for failed media and during application retirement and platform or device upgrades. Adopt consistent standard practices for enforcing data security policies in failed and decommissioned media across data centers.

■ When employing a cloud service, have clearly defined language in service agreements that dictates data destruction protocols or governs the return of the data in usable form to the owner, in the event that one party chooses to end the relationship, Tero says.

■ Whichever method of data destruction you choose, make sure the processes and procedures in place are sound, says Malcolm Harkins, CISO and vice president of the IT group at Intel. Also make sure the people overseeing and performing the data destruction are qualified to handle that particular type of destruction.

On the downside, Rothke notes, it takes a long time to overwrite an entire high-capacity drive. This process might not be able to sanitize data from inaccessible regions such as host-protected areas. In addition, there is no security protection during the erasure process, and it is subject to intentional or accidental parameter changes. Overwriting might require a separate license for every hard drive, and the process is ineffective without good quality assurance processes.
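The single-pass overwrite, the host-protected-area caveat and the "sample at least 10 percent and try to recover" quality-control tip, worked through together on a constructed in-memory medium. This example is added here and is not code from the article or from any product it names; the Medium class, the hidden-tail model of an HPA and the function names are assumptions of the example, not a real drive interface.

```python
"""Constructed demonstration: one overwrite pass that misses the hidden region,
one that addresses it, and the sampled verification that tells them apart."""
import math
import random

SECTOR = 512  # bytes per sector in the constructed medium


class Medium:
    """In-memory stand-in for a drive (an assumption of this example).
    Sectors [0, visible) are what the host normally addresses; the remaining
    `hidden` sectors at the end model a host-protected area (HPA)."""

    def __init__(self, total_sectors, hidden_sectors, seed=1):
        rng = random.Random(seed)
        self.total = total_sectors
        self.hidden = hidden_sectors
        # Every sector, including the hidden tail, starts with "old" random data.
        self.data = bytearray(rng.getrandbits(8) for _ in range(total_sectors * SECTOR))

    @property
    def visible(self):
        return self.total - self.hidden

    def read(self, lba):
        return bytes(self.data[lba * SECTOR:(lba + 1) * SECTOR])

    def write(self, lba, sector_bytes):
        assert len(sector_bytes) == SECTOR
        self.data[lba * SECTOR:(lba + 1) * SECTOR] = sector_bytes


def fill_for(pattern):
    """Expand a short byte pattern to exactly one sector."""
    return (pattern * SECTOR)[:SECTOR]


def single_pass_overwrite(medium, pattern=b"\x00", address_hidden=False):
    """One overwrite pass, the single pass the article calls adequate when every
    region is addressed. By default only the host-visible range is written, like
    a tool unaware of the HPA; address_hidden=True models a tool that extends the
    addressable range first. Returns the number of sectors written."""
    end = medium.total if address_hidden else medium.visible
    fill = fill_for(pattern)
    for lba in range(end):
        medium.write(lba, fill)
    return end


def sectors_with_residue(medium, pattern=b"\x00", lbas=None):
    """Sectors (all of them, or just `lbas`) whose content is not the expected
    pattern, i.e. where old data survived the pass."""
    fill = fill_for(pattern)
    candidates = range(medium.total) if lbas is None else lbas
    return sorted(lba for lba in candidates if medium.read(lba) != fill)


def sample_verification(medium, pattern=b"\x00", fraction=0.10, seed=7):
    """The sidebar's quality-control step: a separate person samples at least
    `fraction` of the whole medium (hidden sectors included, since a recovery
    tool reads the raw platters) and looks for recoverable content.
    Returns (sectors_checked, residual_lbas)."""
    rng = random.Random(seed)
    n = max(1, math.ceil(medium.total * fraction))
    sample = rng.sample(range(medium.total), n)
    return n, sectors_with_residue(medium, pattern, sample)


def sanitize_and_verify(total_sectors, hidden_sectors, address_hidden):
    """Build a medium, run one pass, then both the exhaustive and the sampled
    check; returns counts a practitioner would put in the destruction record."""
    medium = Medium(total_sectors, hidden_sectors)
    written = single_pass_overwrite(medium, address_hidden=address_hidden)
    full_residue = sectors_with_residue(medium)
    checked, sampled_residue = sample_verification(medium)
    return {
        "written": written,
        "residual_total": len(full_residue),
        "sampled": checked,
        "residual_in_sample": len(sampled_residue),
    }


if __name__ == "__main__":
    # 1,000-sector medium with a 50-sector HPA: the naive pass leaves 50 sectors
    # of old data, which the sampled check is likely to catch; the HPA-aware
    # pass leaves none.
    for hidden_aware in (False, True):
        print(f"HPA addressed: {hidden_aware} ->",
              sanitize_and_verify(1000, 50, address_hidden=hidden_aware))
```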

Another factor to consider is that overwriting works only when the storage media is not damaged and is still writable, says Vivian Tero, program director for governance, risk and compliance infrastructure at research firm IDC (a sister company to CSO’s publisher).

“Media degradation will render this [method] ineffective,” Tero says. Nor will overwriting work on disks with advanced storage-management features, she says. “For example, the use of RAID means that data is written to multiple locations for fault tolerance, which means that remnants of the data are scattered in the enterprise storage architecture,” Tero says.

Security practitioners point out that while overwriting is cost effective, it’s not free. “Overwriting is definitely cheaper [than other methods], but you still have to have the headcount to manage it, so there are costs there,” Harkins says.

By following standards created by the Department of Defense and the National Institute of Standards and Technology, “you can be pretty sure the [overwritten] data will be unreadable and unusable,” Harkins says. “There are studies I’ve seen where people will prove that they can find stuff on drives that are overwritten. But I think if you follow the standards you greatly minimize the likelihood that that would be the case.”

Still, Harkins says, overwriting is by no means foolproof. There are areas where errors might occur and the data might not be fully overwritten. “In the wrong hands, someone might still be able to recover the data,” he says.

Degaussing

Degaussing is the removal or reduction of the magnetic field of a storage disk or drive. It’s done using a device called a degausser, which is specifically designed for the medium being erased.

When applied to magnetic storage media such as hard disks, magnetic tape or floppy disks, the process of degaussing can quickly and effectively purge an entire storage medium.

A key advantage to degaussing is that it makes data completely unrecoverable, making this method of destruction particularly appealing for dealing with highly sensitive data.

On the negative side, Rothke says, strong degausser products can be expensive and heavy, and they can have especially strong electromagnetic fields that can produce collateral damage to vulnerable equipment nearby.

In addition, degaussing can create irreversible damage to hard drives. It destroys the special servo control data on the drive, which is meant to be permanently embedded. Once the servo is damaged, the drive is unusable.

“Degaussing makes data unrecoverable, but it can damage certain media types so that they are no longer usable,” Harkins says. “So if you’re reusing [those media] this may not be the right method.”

Once disks are rendered inoperable by degaussing, manufacturers may not be able to fix drives or honor replacement warranties and service contracts, Tero says.

There’s also the issue of securing media during the process of degaussing. “If there are strict requirements that prevent exit of failed and decommissioned media from the data center, then the organization must assign physical space in the data center to secure the media and equipment for the disk eradication” process, Tero says.

A Sampling of Data Destruction Products and Services

Company, website: product or service

Overwriting
  DestructData, www.destructdata.com: Enterprise data erasure software
  CPR Tools, www.cprtools.net: Data erasure and eradication, and verification
  Kroll Ontrack, www.krollontrack.com: Ontrack Eraser software

Degaussing
  Kroll Ontrack, www.krollontrack.com: Ontrack Eraser degausser
  Security Engineered Machinery, www.semshred.com: NSA degausser and crusher bundles
  Data Killers, http://datakillers.com: Degaussing services

Physical Destruction
  Ensconce Data Technology, www.deadondemand.com: DigitalShredder
  Security Engineered Machinery, www.semshred.com: SEM Jackhammer hard drive shredders
  Shred-it, www.shredit.com: Hard drive and media destruction services

The effectiveness of degaussing can depend on the density of drives, Harkins says. “We encountered that issue three or four years ago with hard drives in laptops,” he says. “Because of [technology] changes in hard drives and the size of them, we found that some of the degaussing capabilities [were] diminishing over time.”

How  effective  the  method  is  also 
depends  on  the  people  doing  the  degauss¬ 
ing.  “If  people  make  mistakes,  then  your 
control  gets  diminished,”  Harkins  says. 
“Let’s  say  the  person  responsible  for 
degaussing  drives  was  supposed  to  do  it  for 
15  minutes,  but  they  have  to  go  to  lunch  so 
put  it  in  for  five  minutes  instead.  You  could 
have  breakdowns  like  that.”  But  he  con¬ 
cedes  that  all  three  methods  are  susceptible 
to  human  error. 

Physical Destruction

Organizations can physically destroy data in a number of ways, such as disk shredding, melting or any other method that renders physical storage media unusable and unreadable.

One of the biggest advantages of this method is that it provides the highest assurance of absolute destruction of the data. There’s no likelihood that someone will be able to reconstruct or recover the data from a disk or drive that’s been physically destroyed.

On the down side, physical destruction can be a costly way to get rid of data, given the high capital expenses involved.

“Physical destruction [is] an expensive and not a fiscally sustainable long-term strategy,” Tero says. “The approach also contravenes an organization’s green and sustainability programs.”

But Intel has found that physical destruction is an efficient method of getting rid of data when transporting storage media for degaussing is not practical or secure.

For example, when the company needed to wipe data from thousands of drives in multiple locations, its choices were to either degauss at multiple sites, which would have been costly, or ship the drives to a single location, which would have been risky if the drives got into the wrong hands.

The company ended up stockpiling thousands of old drives while pondering how to destroy them in a way that was not prohibitively expensive but that still resulted in the complete destruction of the data. Intel had been working with scrap contractors that melt down and reclaim precious metals, and someone came up with the idea of having them melt down the hard drives and recycle the metal.

“There was no cost impact to the IT budget, and it was also green because the metals were getting recycled,” Harkins says.

However, Harkins points out that the effectiveness of physical destruction methods depends on how much of the medium was actually destroyed. “I might still worry about drilling holes in a hard drive,” which might render the drive unusable but not destroy the data that’s left in unaffected spaces, he says. ■
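The two failure modes Harkins describes, the job that was cut short and the drive with holes drilled through it, can be measured rather than argued about. The following Python script is an added example written for this page; it is not code from the article, from Intel, or from any vendor in the toolbox. It models a drive as a flat array of 512-byte sectors (an assumption), uses constructed pseudo-random data in place of a real device, and never touches hardware. An interrupted overwrite stands in for the five-minute degauss: the point is that a time-based process that stops early leaves residue you can find if you verify, and that destroying part of a platter leaves the rest byte-for-byte readable.

```python
"""Sanity checks for media sanitization outcomes (added example, not from the page).

A storage device is modelled as consecutive 512-byte sectors so that the effect
of an interrupted sanitization job and of partial physical damage can be
quantified. All data is constructed pseudo-randomly; no real device is read.
"""
import random
from typing import List, Sequence, Tuple

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors


def make_sample_image(num_sectors: int, seed: int = 7) -> bytearray:
    """Construct a pseudo-random image standing in for a populated drive."""
    rng = random.Random(seed)
    return bytearray(rng.getrandbits(8) for _ in range(num_sectors * SECTOR_SIZE))


def overwrite(image: bytes, sectors_done: int, fill: int = 0x00) -> bytearray:
    """Overwrite the first `sectors_done` sectors with `fill`, leaving the rest.

    Passing the full sector count models a completed job; a smaller number
    models a job that was stopped before it finished.
    """
    out = bytearray(image)
    end = min(sectors_done * SECTOR_SIZE, len(out))
    out[:end] = bytes([fill]) * end
    return out


def verify_overwrite(image: bytes, fill: int = 0x00) -> Tuple[float, List[int]]:
    """Examine every sector (no sampling) and report the fraction that consist
    entirely of `fill`, plus the indices of the first few that do not."""
    total = len(image) // SECTOR_SIZE
    expected = bytes([fill]) * SECTOR_SIZE
    dirty = [i for i in range(total)
             if image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] != expected]
    return (total - len(dirty)) / total, dirty[:8]


def simulate_physical_damage(image: bytes, holes: Sequence[Tuple[int, int]]) -> bytearray:
    """Model drilling or punching: each (start, end) sector range becomes
    unreadable (zeroed here); every sector outside the holes is untouched."""
    out = bytearray(image)
    for start, end in holes:
        out[start * SECTOR_SIZE:end * SECTOR_SIZE] = bytes(SECTOR_SIZE * (end - start))
    return out


def recoverable_fraction(original: bytes, damaged: bytes) -> float:
    """Fraction of sectors whose content survives the damage byte for byte."""
    total = len(original) // SECTOR_SIZE
    intact = sum(
        1 for i in range(total)
        if original[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
        == damaged[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
    )
    return intact / total


if __name__ == "__main__":
    drive = make_sample_image(1000)

    clean_frac, _ = verify_overwrite(overwrite(drive, 1000))
    print(f"completed overwrite: {clean_frac:.0%} of sectors sanitized")

    short_frac, first_dirty = verify_overwrite(overwrite(drive, 333))
    print(f"interrupted overwrite: {short_frac:.1%} sanitized, "
          f"residue begins at sector {first_dirty[0]}")

    holed = simulate_physical_damage(drive, [(100, 150), (400, 450), (800, 850)])
    print(f"three drilled holes: {recoverable_fraction(drive, holed):.0%} "
          f"of sectors still fully readable")
```

The verification step is the part worth keeping: a sanitization record that says "overwritten" or "degaussed" is a claim, and reading the medium back (every sector, not a sample, when the medium is small enough to allow it) is the check that turns it into evidence before the drive leaves custody.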


Freelance writer Bob Violino is a frequent contributor to CSO. Send feedback to editor Derek Slater at dslater@cxo.com.




COVER STORY | INTELLECTUAL PROPERTY

BRAIN DRAIN

Been sleeping OK? Chances are you’re not doing enough to safeguard your firm’s intellectual property-a major undertaking for nearly all companies. By Lauren Gibbons Paul


GLOBAL HEALTHCARE PROVIDER Best Doctors employs the most robust technologies and practices available to protect the privacy of its members’ personal data—but that’s just a part of doing business in this industry. Less obvious but equally important is the degree of vigilance with which the company protects its brand name, which is trademarked in dozens of countries worldwide.

“Our distinctive name and logo, those two words connote the high quality of our doctors and hospitals. Something very simple can be very powerful,” says Tom Seaman, senior vice president and general counsel for the company, which provides health insurance as well as health advisory services.

Though Best Doctors has a small portfolio of patents (including a business process patent it received in the 1990s when such things were in vogue), the firm’s primary focus when it comes to intellectual property protection is its brand, which is trademarked. “We take extreme measures to protect it,” says Seaman. His vigilance is entirely appropriate.

This is no time to blink. Many now see intellectual property (IP) as one of the most important corporate assets—worthy of protection, electronic and otherwise. “Targeting of IP is increasing,” says Gary Loveland, partner at PricewaterhouseCoopers. “We’re seeing an evolution from a hacking perspective. Before, [breaking in] was just a trophy to show you could get access to the data. Then there was identity theft. Now, there’s a focus on IP because of the profit motive.” Accessing a company’s proprietary information provides a quick path to stealing its business.

Daily headlines detail attacks on corporate IP, especially when the assaults are launched from emerging economies such as China. For example, security software vendor Symantec recently announced its discovery that hackers had targeted the intellectual property of about 50 organizations, including chemical and defense companies, in a global wave of cyberespionage. These attacks were thought to be the work of a Chinese man. Symantec competitor McAfee also reported that it detected that 72 organizations had been subject to cyberattacks on IP last summer. Google disclosed its Aurora attacks in 2010. The Wall Street Journal recently reported that the Chamber of Commerce suffered a major theft of information, also believed to have been conducted by someone in China. The full extent of the damage from these incidents won’t be understood for years, say experts.

But as scary as these stories are (and they are that, if you’re paying attention), they shouldn’t eclipse your concern over a host of more mundane but potentially equally damaging threats to your company’s IP. The most common scenario, alas, is that an employee unwittingly shares a trade secret or a confidential idea, or that your business partner forgets about a nondisclosure agreement signed long ago. Social networks make this scenario exponentially more likely. The problem is, most companies have a broad range of information that can be considered intellectual property—though many have not taken the time to properly identify it all—and protecting all of it from myriad threats is a daunting prospect.

A number of CISOs contacted for this article say their corporate intellectual property is adequately protected by the standard data security practices they already have in place. That could be true, but consider: Much of the attention in recent years has focused on protection of transactional data and personally identifiable information (PII), such as customer names and credit card numbers. That’s what compliance regimes such as PCI DSS address. Intellectual property is much squishier and may live in different parts of your network—and of your filing cabinets and whiteboards and so on—from PII. And it is sometimes subject to a different set of legal protections.

Illustration by Eva Vazquez

So read on for expert advice on connecting all the dots and creating a more robust IP protection program.

Taking Stock

Unless you have already done this, and recently, the first thing you have to do is identify what your IP consists of and where it resides. This is no easy feat, as IP can be deceptively chameleon-like, taking multiple forms: structured and unstructured, amorphous and concrete, small shreds of things or entire databases, thoughts in someone’s head or captured in a document. You need to explain to your employees and business partners in particular what your IP is, because if you don’t, you can be sure they will share the information haphazardly and thereby reduce its value (at best) or jeopardize the company (at worst).

Nuance Communications, a $1.3 billion software company, recently embarked upon a major effort to understand and rationalize its IP, says CSO Stan Black. This was necessary in the wake of Nuance’s massive acquisition spree over the past five years, in which it bought up 50 companies.

“We have gone through a significant effort to understand what we have in-house, what’s commercial, where it resides,” says Black. “Due to the speed at which we iterate, it’s quite an effort.”

After you’ve completed your IP inventory, the next step is to map the data, according to Gary Lynch, global head of strategic consulting for Marsh, a security advisory company. “How does it get created, where does it get created, what happens to it? You have to look at all the stages of data formation and use all the way through to disposal, access, storage and transmission,” says Lynch. Your IP data map then becomes your footprint for applying controls. (And, obviously, the data map itself will be a very sensitive document requiring excellent protection.)

Electronic protection of IP is different from most other kinds of information security. Often referred to as the “corporate jewels,” IP is so precious it needs to be protected at a data and document level, as opposed to just at the level of the system on which it resides. Unfortunately, more draconian protections make it difficult to share the data, which is the order of the day in today’s collaborative environments. “Public key infrastructure and general encryption are not very usable in an enterprise,” says Ryan Kalember, who became chief marketing officer of WatchDox last month. “Users will find their way around the controls.”

On the other hand, when you have a small amount of ultra-secret, non-shared information to protect from prying eyes, the task is fairly straightforward: encryption or data masking, two- or three-factor authentication and embedded access controls you get from a tool like WatchDox or Tripwire. The latter tools represent the future of electronic IP protection, says Kalember. “The protections must be embedded in the IP in a frictionless way for the users. Otherwise, it’s just the whack-a-mole we’ve been doing for years.”

These decisions—what to count as IP and how and to what degree to protect it—should flow from your business objectives, according to Evan Falchuk, chief strategy officer for Best Doctors. “The way you focus those efforts has to fit into your business. Our business is to make sure people get the right medical care. We have to have a brand that people know and recognize and trust. They need to feel completely secure when they share information with us. We ask, ‘What does it take for our business to win?’ Our strategies flow from that,” says Falchuk. So, as mentioned above, Best Doctors focuses on supporting its brand name with its IP protection, though it uses comprehensive IT security technologies and practices, including requiring all new employees to sign a nondisclosure agreement. And everyone has to leave behind a clean desk when they go home for the night, part of Best Doctors’ attention to seemingly minor details.

Many companies turn to the experts—lawyers, generally—for help educating staff and getting their commitment to protect IP. Jeff Feldman of Feldman Gale is often called in to do IP counseling for employees. Seminars covering IP basics can help the organization immunize itself against the virus of IP leakage, which can take benign-looking forms.

An in-house patent lawyer at a healthcare company laments the collegial way doctors tend to share data. “It’s like an academic environment—they’re just trying to further the cause of medicine. But they don’t understand that the company has shareholders, and the company has to make investment decisions for its shareholders,” he says. This attorney does training based on real-life scenarios, telling people, “Don’t let this be you.”

Feldman’s bugaboo is idea misappropriation. He has seen too many instances where a former employee tries to claim credit for the idea behind a product or service. He also cringes when content and entertainment companies have no clear-cut idea-submission policy. “Follow the lead of Google and Facebook and have a policy: ‘You send me an idea, it’s mine,’” he advises. Eliminate the implied duty of confidentiality right out of the box, and avoid claims down the road.

Cautionary Tale

Virtually everyone interviewed for this story warned that IP is highly perishable. Once the secret is out, it’s out. And the consequences can be dire.

Prescott Winter, CTO of the public sector for HP Enterprise Security Products, was advising a small high-tech company that was hit by the Google Aurora attacks in 2010. This company spent a significant portion of its revenue on research and development. “They only had about nine months of profit on their new products, about a 35 percent to 40 percent return on investment,” says Winter. After that, the return rates dropped off. “The advantage they had dissipated immediately. They had overlapping nine- to 12-month bumps in revenue. If three of those high-revenue product cycles in a row were to be damaged or destroyed because a competitor gets the information, game over.” Post-Aurora, the company was forced to shut down.

“They were unable to respond before their future was stolen,” says Winter. “So many companies are hanging by a thread.” In the words of the patent lawyer, don’t let this be you.

Trolls in Our Midst

Intellectual property (IP) protections exist in U.S. law for the purpose of ensuring inventors and creators are compensated for their works, encouraging innovation.

Unfortunately, the very protections afforded by the federal government-patents, copyrights and trademarks-are now often used as weapons by companies that exist only for the purpose of shaking down other companies for licensing fees. What was created to encourage innovation is now routinely used to stifle it.

Patent trolls are arguably getting the most press. Under this scheme, a company gathers up rights to one or more patents (most often in high tech) and attempts to extract a fee from “infringing” companies. The problem is that these claims are often made based on groups of patents in which it is unclear exactly what is protected. These companies are usually non-practicing entities that exist only to attempt to extract money from others.

Small companies that get hit with a trollish patent claim may well have to close their doors. Larger companies have suffered severe damage, too. These suits are widely considered a drag on the economy. It is difficult to know what to do about them, other than pay the requested fees, which calls to mind a mafia shakedown. (In most patent defense cases, the defendant countersues the plaintiff; this practice has some chilling effect on frivolous suits. Patent trolls, by contrast, are not doing anything with their patents so there is no way to countersue.)

The courts recently struck a blow against copyright trolls when they dismissed numerous copyright claims made by Righthaven, a collector of rights to online content. This form of trolling does not appear as prosperous as its patent counterpart. This is true for Righthaven, at least, which recently declared itself near bankruptcy.

Trademark or brand trolls run similar schemes by registering Web domains or Facebook pages, or by trademarking business names (typically those that are already in use but are not yet formally protected) in order to extract payment for their use.

These trolls are a nuisance to people such as Evan Falchuk of Best Doctors, who sometimes has to shell out a few bucks to use a domain he wants.

Worse, he has encountered situations where he tried to file the company’s trademark in a new country only to find the trademark claim has been rejected as unfit by that country’s IP authorities. Having a rejection already on the books can make it more difficult for Best Doctors to obtain its trademark in that country.

-L.G.P.


The IP Landscape

Your company’s intellectual property may encompass a wider range of items than you’ve considered, including:

Patents. This is usually fairly straightforward. If your firm was granted one or more patents, you or your legal department will be charged with defending it (that is, detecting and suing over possible infringement). Less clear-cut: When other companies or patent trolls claim your firm is infringing their patents. It happens every day. In industries like high tech, companies routinely infringe each other’s patents via reverse-engineering, according to an industry insider, and then negotiate to decide a reasonable licensing fee post-facto.

Copyrighted material. When an author creates a written work, a natural copyright (that is, the right to exclude others from copying that work) arises. This natural copyright exists even without registering a formal copyright and using the © symbol, but if the document or work is important, you should take the time to register its copyright.

Trademarked names or logos. If your corporate name or logo carries a trademark, create usage policies for employees and business partners to follow or risk diluting the value of your IP.

Ideas. These are amorphous and generally exist in unstructured form (often in people’s heads) and so can be difficult to protect. Most important here is to have a written agreement in place from the beginning of the person’s employment or the start of the partnership so all parties understand who owns what in the case of a later claim.

Trade secrets (including recipes, ideas, transcripts, notes, presentations). This category covers any manifestation of value to the corporation for which you prefer not to seek formal IP protection, due to competitive or other reasons. The object here is to make sure the secret remains safe from prying eyes. You should seek the highest information security for this type of information, including encryption and multi-factor authentication. And don’t skimp on the employee and partner education and security policies.

Mark Itri, a patent attorney with law firm McDermott Will and Emery, was on a plane going to visit a major airplane manufacturer when he overheard a conversation, apparently among employees, about the schematics for the next generation of jet engines.

“They were talking really loud. Everyone could hear. All over the schematics were the words ‘confidential and proprietary,’” says Itri.

He promptly walked into the airplane maker’s offices and said, “This is how you lose your trade secrets.”


Lauren Gibbons Paul is a freelance writer based in Massachusetts. Send feedback to editor Derek Slater at dslater@cxo.com.




Social Engineers Who Made History

Most new scams are just variations on old ideas. Here’s a quick history lesson for your employees.

BY JOAN GOODCHILD

Social engineering takes advantage of human psychology by making the victim feel comfortable and confident that the perpetrator has their best interests at heart and intends no ill will. Whether the perp uses a badge, a computer, insider lingo or some other tactic, the psychology of social engineering is typically very basic.

Here are tales of nine famous social engineers who made history with their exploits.

The Devil

THE ORIGINAL SOCIAL engineer, according to Biblical accounts, was the Devil, who convinced Eve that God was keeping his best powers to himself by forbidding her and Adam to eat from the Tree of Life.

The Devil succeeded, according to Ryan O’Horo, a senior security consultant with IOActive, because he appealed to Eve’s greed, which O’Horo calls one of the four main motivators, along with fear, guilt and gossip.

“These all appeal to the human nature of survival,” says O’Horo.

And social engineers know it.




Illustrations by David Saracino


SOCIAL ENGINEERING


Ulysses

ULYSSES, LEADER OF the Greeks, fooled the Trojans into believing that he and his army had abandoned the siege of Troy by leaving a gift outside the gates of the city.

“It’s the original example of preying on people’s good nature. And that’s what con men do, they go after your heart strings,” says Robert Siciliano, a security expert and McAfee consultant. “When people are given gifts, they feel inclined to give back to you.”

Of course, in the case of the Trojans, they had no opportunity to give back. After the Trojans pulled the horse inside the fortified city, the Greeks waited for nightfall, poured out of their hiding place, and sacked Troy.

To this day, corporate employees will still pick up USB flash drives from the parking lot and stick them in their PCs. Does no one study ancient history?

Victor Lustig

KNOWN AS “THE man who sold the Eiffel Tower,” Lustig was a European con artist who managed to convince investors in 1925 that the famous monument was being sold off for scrap.

Using forged government stationery, Lustig invited six scrap-metal dealers to a confidential meeting and introduced himself as the deputy director-general of the Ministry of Posts and Telegraphs. He explained the cost of maintaining the Eiffel Tower was too much for the city of Paris, and that officials wanted to sell it for scrap.

“Not everyone believed him, but one businessman did. He gave him some money, and Lustig left town,” says O’Horo.

The businessman who fell for the ruse was so embarrassed that he never alerted officials, and Lustig even tried to sell the Eiffel Tower once more. The second time, he was not successful.

George Parker

“AND IF YOU believe that, I have a bridge to sell you,” is a common expression today thanks to con man George Parker.

Another social engineer who managed to sell property that he had no rights to, Parker was able to convince tourists that he owned famous landmarks such as the Brooklyn Bridge, Madison Square Garden, the Metropolitan Museum of Art, Grant’s Tomb and the Statue of Liberty, according to social engineering expert and author Chris Hadnagy, who runs the website social-engineer.org.

“He was known for selling the Brooklyn Bridge a couple of times a week for a few years,” he says.

Parker would produce forged documents that claimed he was the legal owner of the properties he was trying to sell. In the case of the Brooklyn Bridge, victims were told they could make money by controlling access to the roadway. Parker was convicted of fraud three times and, after his third conviction in 1928, was sentenced to a life term at Sing Sing Prison, just up the Hudson River from New York City. He died in prison in 1936.




Right photo by Wikimedia Commons




Stanley Mark Rifkin

IN THE 1970s, Stanley Mark Rifkin was a computer repair consultant for a large bank. In October 1978, he did work for Security Pacific, where he took an elevator to level D, the site of the bank’s wire transfer room. The bank used a security code, which was changed daily, in the transaction authorization process. Once inside the transfer room, Rifkin memorized the code (it had been written on the wall) and left without arousing suspicion.

He then called the transfer department posing as Mike Hansen, an employee of the bank’s international division. Using the day’s security code, he ordered a routine transfer of funds into an account at Irving Trust in New York.

Nothing about the transfer appeared to be out of the ordinary, and Security Pacific transferred $10.2 million to Rifkin’s bank. Rifkin moved the money to another account in Switzerland and tried to launder the funds by purchasing diamonds. At the time, it was the largest U.S. bank heist in history.

“Eventually he was caught, but he had to use two or three pretexts and lots of social engineering to pull this off,” says Hadnagy.

Charles Ponzi

AN ITALIAN WHO immigrated to the United States in 1918, Charles (original first name Carlo) Ponzi first targeted friends with his investment scam. He told them if they gave him money, he’d double their investment in 90 days, citing great returns from postal-reply coupons.

His operation grew so quickly that some eager investors mortgaged homes and withdrew life savings to invest. “He originally learned this tactic, which we now know as the Ponzi scheme, from a former boss when he was working at a bank. His boss was paying off old bank accounts with new accounts that were being opened,” says O’Horo.

Unfortunately for Ponzi, the entire business was being run at a loss. It was eventually exposed in 1920, costing investors millions. He spent roughly a decade in prison on federal and state charges before being deported.

Frank Abagnale

THE INSPIRATION FOR the movie Catch Me If You Can, Frank Abagnale was a social engineer who forged hundreds of checks in the 1960s and was able to convince Pan Am employees, and many others, that he was an airline pilot.

“In the end he forged $2.5 million in checks and flew over 1 million miles as a fake pilot,” says Hadnagy. “He also pretexted as a doctor, lawyer and teacher’s assistant. He was labeled one of the greatest con men in history.”

Look official, act official, and people will often think you are official.




Top left photo by Corbis; above photo courtesy of Frank Abagnale


off earlier investors.

“It boils down to a confidence crime,” says Siciliano. “He was always able to provide enough information to make people comfortable so they would want to be in on the next move. Madoff created all his own documentation—literally just created everything to make it look like the numbers continually grew.”

Siciliano notes Madoff recruited new investors through friends and family.

“Everyone fell for the old, ‘You do business with the people your friends and family trust,’ line,” he says.

Of course, this is just another variation on Ponzi’s scheme, which Ponzi learned from someone else. Fraudsters and social engineers can often get by with more charisma than cleverness-most schemes we see today have been around for ages.

Madoff’s just happened to be worth $65 billion or so. ■

Reach Senior Editor Joan Goodchild at jgoodchild@cxo.com.


Kevin 

Mitnick 


KNOWN  AS  THE  man  who  popularized 
the  term  “social  engineering,”  Kevin  Mit¬ 
nick  was  convicted  of  a  number  of  com¬ 
puter  crimes. 

He  hacked  into  Pacific  Bell’s  voice 
mail  computers,  copied  proprietary  soft¬ 
ware  from  some  of  the  country’s  largest 
cell  phone  and  computer  companies, 
stole  passwords,  altered  networks,  and 
broke  into  and  read  others’  private  email 
messages. 

“What  made  him  successful  was  the 
documentation  he  had  access  to,”  says 
Siciliano. 

“He  would  dumpster  dive  and  get 
things  so  he  could  learn  the  language 
of  the  people  he  was  social-engineering. 
When  he  got  on  the  phone,  he  was  just 
like  them.  And  he  could  provide  them 
with  enough  confidence  that  they  would 
give  up  the  data.” 

Like  Abagnale,  Mitnick  is  now  a  secu¬ 
rity  consultant  and  speaker. 


Bernie 

Madoff 


A  MODERN-DAY  PONZI,  Bernard 
Madoff  now  resides  in  federal  prison  in 
Butner,  N.C.,  serving  a  150-year  sentence. 

Madoff’s  wealth-management  busi¬ 
ness  (called  Ascot  Partners,  for  you 
trivia  buffs)  was  revealed  in  2008  to  be 
fraudulently  receiving  funds  from  new 
investors  and  using  that  money  to  pay 


Top  photo  by  Corbis 


February  2012  www.csoonline.com  29 


[ INDUSTRY VIEW]

By Jason Clark, Websense

Mind Your IP: 4 Safety Tips


Do you think data breaches are up or down in 2011 compared to 2007 or 2008? The official answer may surprise you. According to DatalossDB and the “Data Breach Investigation Report” by Verizon, the number of records compromised per year has been decreasing since its 2008 peak. But these reports are missing something very important. It all comes down to what is reported. Last year I met with more than 450 CIOs and CSOs, and almost all of them said that incidents are way up. New breaches are constantly making headlines, so why is there a discrepancy between our perception and what these reports are finding?

Many industry reports focus on the never-ending stream of leaked or stolen personally identifiable information (PII). Most laws and industry standards, such as PCI DSS, also concentrate on PII. But there is something that could be more dangerous to lose than PII and that isn’t getting enough attention in data breach reports—intellectual property (IP).

As records show, stealing PII (credit cards, social security numbers, and so on) used to be big business for cybercriminals. Then it started to get a bit harder for hackers to get PII because overall awareness increased as more regulations were passed and organizations started to invest in information security solutions. Verizon’s “Data Breach Investigation Report” states, “Our leading hypothesis is that the successful identification, prosecution, and incarceration of the perpetrators of many of the largest breaches in recent history is having a positive effect.” Researchers also suggested that there are fewer hackers and the threat they pose is losing prominence. I believe protection enforcement is a factor in the reduction of PII theft, but I don’t believe there are fewer bad guys out there. In fact, quite the opposite: The threat has never been greater than it is now.

The new big thing is stealing IP, which includes product designs, secret formulas, and other trade knowledge. It’s what organized cybercrime, state governments and hackers are all going after. Why? Mostly because of the value of the data. One stolen manufacturing process can be worth millions in saved development costs or billions in market share.

Illustration by Carl Spackler

Not protecting IP is a huge mistake for companies and countries alike. Intellectual property is what makes modern nations competitive in the world economy. It fuels innovation and development, and it keeps you ahead of the competition.

What do CSOs think? More than 70 percent of the CIOs and CSOs I spoke with last year said their IP is under attack. Yet only 30 percent of them have data-loss prevention (DLP) tools in place. And most of them do not have software to protect their data in the cloud or on mobile devices, which are the two big new blind spots that they need to worry about.

Why IP Loss Isn’t Making Headlines

First, no one is making companies disclose IP loss. When PII is exposed, laws such as HIPAA and HITECH demand companies disclose that information, but no similar laws exist for IP loss. Only the SEC has come out and said that if IP is stolen and that could have material financial impact on your company, you should disclose that. For example, if a competitor in China gets your IP and could manufacture a similar product, you should disclose that.

Second, companies often have no idea when their IP is compromised. When credit card numbers and other PII are hacked, you tend to find out quickly because the bad guys make money on the breach. They quickly sell the credit card information on the black market, and that data gets used. At that point, the banks know the card numbers were stolen and the forensic trail leads back to the hack. Most companies know the importance of protecting PII and have controls to prevent and detect hacks. But IP is perceived as harder to protect and hasn’t been a major focus for companies. The reality is that IP is the hottest target for cybercriminals, your competitors and malicious employees. It will only get worse.

Third, the bad guys know how to sidestep traditional defenses. They use a common blind spot in most companies’ defenses—SSL. Most anti-malware security solutions don’t look out for man-in-the-middle attacks decrypting the SSL traffic coming into the network. SSL accounts for up to 50 percent of Web traffic, and criminals know that most IT security systems do not inspect it.

Fourth and finally, DLP software isn’t being used to its fullest potential. Most companies aren’t looking at the SSL traffic, but as services such as Gmail move to automatically send all traffic to SSL, this becomes more of an issue. If you don’t inspect in SSL, your DLP solution is giving you a false sense of security.

Four Ways to Protect Your IP

We need to protect our most valuable asset, IP, from criminals’ attempts to steal and subvert it. This is one of my focus areas, and here are three steps I recommend for better protecting your sensitive information:

1. Get DLP, but forget the endless discovery process. Gartner Research says that about 30 percent of companies have DLP and another 30 percent are considering it. But the massive “discover everything” process that vendors often recommend is ridiculous. Here’s all you need to do to get started: Understand what IP is the most valuable 1 or 2 percent and protect it accordingly. I care less about where every nugget of information is than I do about the crown jewels.

2. Educate your teams on the right practices for handling this data. Again, this is about the 1 or 2 percent that’s the most valuable data you have. Work with the people who have access to this data, including the Board of Directors and engineers. Talk to them about how to handle this data and set good controls for admins. Eliminate admin rights on desktops. Then reinforce the training through mock social engineering attempts and penetration testing. I use sites like PhishMe.com. There are good companies out there that can help you with this and measure the success of your education efforts over time.

3. Reinforce your education with technology. In addition to DLP, you need a few must-have protections for securing your top data. You need to be able to monitor your two biggest communications channels (Web and email) for outbound data and you need to be able to stop it in its tracks. (Disclosure: Yes, this is what my company’s products do.) Identity- and access-management tools are increasingly useful for ensuring that data doesn’t fall into the wrong hands. And using security information and event management software with a solid log-management tool (that you actually pay attention to) can help you identify suspicious behavior and follow it all the way through to remediation of the threat. Be diligent here, and add your findings to training materials. Because while the reporting features of these tools are getting better, you still need to have highly trained eyes regularly analyze the output to ensure that you are truly protected.

4. Focus on your blind spots. Your biggest IP data blind spots are on your mobile devices, in cloud services and in SSL traffic. Make sure to pick a strategy and solutions that can give you visibility into these areas as more and more of your data moves off your controlled network. Don’t forget to include consumer cloud services such as Dropbox and Box.net.
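Tips 3 and 4 above amount to one detection problem: watch the outbound Web channel for your crown jewels and close the SSL and consumer-cloud blind spots. The Python script below is an added illustration written for this column, not code from the author or from Websense; it triages constructed proxy-log lines in a made-up, simplified layout and flags per-user outbound volume to consumer cloud services and TLS sessions that were tunnelled without inspection. The domain list, the 10 MiB threshold and the log layout are all assumptions.

```python
import re
from collections import defaultdict

# Consumer cloud services the column names as blind spots (Dropbox, Box.net); assumed list.
CONSUMER_CLOUD = ("dropbox.com", "box.net")
THRESHOLD_BYTES = 10 * 1024 * 1024  # review anything at or above 10 MiB per user and host

# Constructed sample lines in a made-up, simplified proxy-log layout (not any product's format):
# time  user  method  target  status  bytes_out  tls_inspected(yes/no)
SAMPLE_LOG = """\
2012-02-01T09:01:12 alice GET https://intranet.example.com/wiki 200 1240 yes
2012-02-01T09:03:40 bob CONNECT www.dropbox.com:443 200 52428800 no
2012-02-01T09:04:02 bob CONNECT www.dropbox.com:443 200 31457280 no
2012-02-01T09:10:55 carol POST https://mail.google.com/upload 200 2097152 yes
2012-02-01T09:12:07 dave CONNECT app.box.net:443 200 4096 no
"""

def host_of(target: str) -> str:
    """Reduce a URL or a CONNECT host:port to a bare lower-case hostname."""
    target = re.sub(r"^[a-z]+://", "", target, flags=re.I)      # drop scheme
    return target.split("/", 1)[0].split(":", 1)[0].lower()   # drop path and port

def parse_line(line: str) -> tuple:
    """Return (user, host, bytes_out, inspected) for one log line."""
    _time, user, _method, target, _status, bytes_out, inspected = line.split()
    return user, host_of(target), int(bytes_out), inspected == "yes"

def is_consumer_cloud(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in CONSUMER_CLOUD)

def triage(log_text: str, threshold: int = THRESHOLD_BYTES) -> list:
    """Sum outbound bytes per (user, host); flag large transfers to consumer cloud
    services and large TLS sessions that DLP never inspected."""
    totals, uninspected = defaultdict(int), defaultdict(bool)
    for line in log_text.splitlines():
        user, host, bytes_out, inspected = parse_line(line)
        totals[(user, host)] += bytes_out
        uninspected[(user, host)] |= not inspected
    findings = []
    for (user, host), total in sorted(totals.items()):
        reasons = [r for r, hit in (("consumer-cloud-upload", is_consumer_cloud(host)),
                                    ("uninspected-tls", uninspected[(user, host)])) if hit]
        if total >= threshold and reasons:
            findings.append((user, host, total, reasons))
    return findings

if __name__ == "__main__":
    for user, host, total, reasons in triage(SAMPLE_LOG):
        print(f"{user} -> {host}: {total} bytes out [{', '.join(reasons)}]")
```

Inspected, in-policy traffic is left to DLP; the script only surfaces what DLP could not have seen or what went to a destination outside your control.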

It’s Time to Pay Attention to IP

In early 2011, Nasdaq’s director’s desk was hacked. Imagine how much money cybercriminals could make if they had visibility into your company dealings the way they did with that breach. The Nasdaq hackers could have made billions by trading with this insider information, which is far more than they could have made stealing credit card numbers.

Think about your company’s crown jewels. How much would your company lose if its IP was stolen by a competitor overseas, where IP protection isn’t enforced? The trend of hackers going after IP is just getting started and will grow rapidly in the next two years. But there are ways you can protect your IP and save your company serious headaches. Feel free to contact me on LinkedIn to discuss this in more detail. If you have questions or want to connect and network, drop me a message. ■

Jason Clark is CSO of Websense.


[ debriefing]

The Evolution of Authentication

One-Factor Authentication: Something you know (password)

Two-Factor Authentication: Something you know (better password) + Something you have (access card)

Three-Factor Authentication: Something you know (strong password) + Something you have (dongle, widget, doodad) + Something you are (voiceprint, fingerprint)

Real-World Strong Authentication: Something you know (incomprehensible gibberish written on sticky note in wallet) + Something you have (smartphone with sandboxed near-field communication ID app) + Something you are (that you don’t mind putting into a reader) + Something borrowed, something blue + There’s Something About Mary (on BluRay, which doesn’t count for previous category, even if borrowed)

(Or just use your Facebook login!)

Illustration by Steve Traynor

